“This week in data privacy” is how we should view two potentially landscape-changing legal events tied to the impending General Data Protection Regulation (GDPR). Why the tepid tone? Because a mere three months separate us from the May 25 GDPR compliance deadline and we're no closer to finding the nexus where security, data privacy and the greater good intersect than we were years ago.
Actually, the rub is we can't locate that sweet spot because there are no clean answers, at least not ones that put the privacy/security/access debate to rest to the satisfaction of all. The first possibility might come in newly proposed legislation by the European Union (EU) to compel companies to hand over their customers’ personal data on request even if that information is housed on servers outside the EU bloc of 28 countries, Reuters reported. While that idea has the whiff of an overreach, it's a lock to rankle heavyweights such as Apple, IBM and Microsoft, each of which has made data privacy a rallying cry. It won’t make privacy advocates all too happy either.
Microsoft vs. Justice Department: Email Privacy
It’s difficult not to notice the timing of the suggested EU legislation, coinciding as it does with the U.S. Supreme Court hearing oral arguments on Tuesday in Microsoft’s pitched battle with the Justice Department. The issue revolves around Microsoft’s refusal to turn over the substance of the emails stored on its Ireland-based servers that U.S. federal authorities believe pertains to a drug trafficking investigation dating to 2013.
Key issues the Court will be asked to resolve directly include:
- Can federal authorities force U.S. technology companies to access and relinquish data housed anywhere in the world by citing the 1986 Stored Communications Act, written long before the Internet age?
- If data is accessible in the U.S. but resides overseas, does that make it automatically subject to U.S. communications law?
- What is the determining factor for access: Where data is stored or who controls it?
- Exactly how far (both geographically and philosophically) can technology companies extend to protect customer data?
European Union and Data Privacy
Here’s how Microsoft’s case aligns with the EU’s proposed law: It doesn’t, which is a bit odd in itself because you'd think it would. Last year, the European Commission, representing the EU, filed a legal brief in support of Microsoft saying that when a country is seeking data from outside its jurisdiction "the interests and laws of that foreign jurisdiction must be taken into account."
But under the EU's proposed law, which should move through the draft process in March, officials could gain access to anyone’s personal data extending to non-EU nations if it was tied somehow to an ongoing investigation, Reuters reported. The possibilities are endless and clearly, the EU’s thinking has changed. European Justice Commissioner Vera Jourova told Reuters the way cross-border evidence is currently accessed is “very slow and non-efficient” and that law enforcement had to be more nimble than cyber criminals.
As expected, Microsoft is casting thumbs down on the potential law. John Frank, Microsoft VP for EU government affairs, termed it a “bad idea,” Reuters reported. “I think the international law is pretty clear that police jurisdiction exercised outside your territory infringes the sovereignty of other countries,” he said.